This paper presents the π-graphs, a visual paradigm for the modelling and verification of mobile systems. The language is a graphical variant of the π-calculus with iterators to express non-terminating behaviors. The operational semantics of π-graphs use ground notions of labelled transition and bisimulation, which means standard verification techniques can be applied. We show that bisimilarity is decidable for the proposed semantics, a result obtained thanks to an original notion of causal clock as well as the automatic garbage collection of unused names.

1 Introduction 

The π-graphs is a visual paradigm loosely inspired by the Petri nets. It is a graphical variant of the π-calculus [11] with similar constructs and semantics. The formalism is designed as both a modelling language and a verification framework.

The design of a graphical modelling language has subjective motivations: intuitiveness, aesthetics, etc. One design choice we retain from mainstream visual languages (UML, Petri nets, etc.) is staticness: the preservation of the diagrammatic structure along transitions. Most graphical interpretations of the π-calculus involve dynamic diagrams: nodes and edges are created/deleted along transitions [10, 14, 7]. In contrast, the structure of the π-graphs does not evolve over time. The idea is to "move" names around a static graph, using an inductive variant of graph relabelling [8]. For non-terminating behaviors, we use iterators [3], a suitable static substitute for control-finite recursion.

Beyond modelling, our second axis of research is verification, with more objective goals. One difficulty is that the usual semantic variants of the π-calculus (early, late, open) rely on non-ground transition systems and/or bisimulation relations, which leads to specific and rather non-trivial verification techniques, e.g. [16, 17, 6]. The π-graphs, on the contrary, use ground notions of labelled transition and bisimulation, which means standard verification techniques can be applied. Of course, there is no magic: the "missing" information is recorded somewhere. First, each π-graph state is attached to a clock. As explained in [15], the clock is used for the generation of names that are guaranteed fresh by construction. It is also used to characterize a form of read-write causality [4]. Moreover, the match and synchronization constructs are interpreted as the dynamic construction of a partition deciding equality for names.

There are, however, two sources of infinity in the proposed model. First, the logical clocks (used in [15]) can grow infinitely. Moreover, the generated fresh names are never reclaimed. This means that infinite state spaces can be constructed even for very simple iterative behaviors. To avoid the construction of infinite state spaces, we first introduce an original (and non-trivial) model of causal clocks, which provide a more structured characterization of read-write causality. As a second "counter-measure" against infinity, we develop an automatic garbage collection scheme for unused names in graphs. As a major result, we show that bisimilarity is decidable for the proposed semantics.

The outline of the paper is as follows. In Section 2 we introduce the diagram language and the corresponding process algebra. In Section 3 the operational semantics is proposed. The finiteness results are developed in Section 4. Related work is discussed in Section 5.

Figure 1: Example with mobility (abridged)



2 The diagram language and process algebra 



The π-graphs is a visual language inspired by (elementary) Petri nets. The control flow is characterized by interconnected places with token marks. A data-part models the names and channels used by the processes to interact. This is realized by placeholders called boxes that can be instantiated by names. Places and boxes cannot be arranged arbitrarily, and the π-graphs must conform to the syntax described in Table 1 (see page 52). The basic syntactic elements are roughly the ones of the π-calculus (cf. [11]): input, output, silent action, non-deterministic choice and parallel compositions. A notable difference is that most of the constructs (even match, parallel and sum) are considered in prefix position. Moreover, the process expressions must be suffixed by an explicit termination 0.

As an illustration, consider the example of Figure 1. This is an archetype of the kind of mobility involved in the π-calculus. The (extract of) π-graph on the left describes three processes, A (left), B (center) and C (right), evolving concurrently. The current state of each process is characterised by a token mark in the corresponding place. In the term representation given below the graph, each prefix in redex position corresponds to such a place with a token mark. We depict this by surrounding the prefix with a frame. To establish the link with the π-calculus, we added on the right a flowgraph representation of the system (cf. [11]). The processes B and C share a private channel νc and in the first step, B communicates with C using this channel. The transmitted data is another private channel νd, initially only known by A and B. We are thus in a situation of channel passing. The process C binds the received name (here νd) to the box x. In the term representation, the instantiation is made explicit with the notation x ⊳ νd. The left name is the identifier for the box in the graph, which is a static information, and the right name describes its dynamic instantiation. As a convenience, the default instantiation n ⊳ n is simply denoted n. The corresponding flowgraph shows the scope extrusion of the channel νd so that it encompasses C. In the last step there is a synchronization between C and A along νd with the

Figure 2: Example with an iterator (abridged)



It is possible to express non-terminating behaviors with π-graphs using iterators [3]. The example of Figure 2 is a π-graph encoding a generator of fresh names. The iterator place is denoted *, which is marked in the first step. An iteration is started with an ε transition, a low-level normalization step. In the term representation, each state is attached to a clock. As in [15] we can use logical clocks to generate names that are guaranteed fresh by construction. Consider the second transition on the figure. The redex is the output of the private name νa on the public channel c. The effect of transmitting a private name over a public channel (a bound output) must be recorded. The box of the formerly private name νa is then instantiated with 1!, which is the new identity of the name. The generated name is the current value of the clock plus one, suffixed by ! to mark the output (a suffix ? is used for fresh inputs). It is guaranteed fresh by construction and, to ensure this, the clock itself is incremented by one. The observation is recorded as a transition labelled c(1!), and we reach the terminating place 0. The iterator is then reactivated, and during this step the box νa is reinitialized to its default value νa ⊳ νa. This makes the name νa locally private to the iterator. There are also global private names or restrictions as in CCS, denoted e.g. νA, νB, ... These are not reinitialized before the start of new iterations. We are now in the same state except that the value of the clock was incremented by one. Thus, if we continue iterating the behavior, the recorded observations will be c(2!), c(3!), etc., resulting in an infinite generation of distinct names.

The last example, cf. Figure 3, illustrates the interpretation of the match prefix. We study the evolution of the following behavior: c(νa)d(x)[νa = x]P. To anticipate the semantics of Table 2 (see page 54), we also indicate the names of the inferred transitions in the figure.

In the initial state, the logical clock value is 0. The first action is an emission of the private name νa over the public channel c. This leads to the observation c(1!) and the clock value becomes 1. The second step is a reception from the public channel d; the received name is selected fresh and it is denoted 2?. The clock value is once again incremented. Now a match is performed, testing if the fresh names 1! and 2? can be made equal. The answer is positive because the name 1! has been sent before 2? is received. The justification of this causal link is simply the comparison of their respective clock values, i.e., 1 < 2. To perform the match we record in the context of the π-graph, together with the clock, a (dynamic) partition of names wrt. equality. By default, all the names are considered distinct and thus the partition only contains singletons, which are left implicit for the sake of readability. In the final state, the partition is refined so that the singletons {1!}, {2?} are replaced by their union {1!, 2?}. In this context (and thus in the continuation P) the two names are considered equal. Now, if we perform first the reception and then the emission, a causal link should not exist and we thus expect that the two names cannot be made equivalent.

Figure 3: Example of match (abridged)



$0 \vdash d(x)\,c(\nu a)\,[\nu a = x]\,P$

$\quad \cdots \xrightarrow{c(2!)}$

$2 \vdash d(x{\triangleright}1?)\,c(\nu a{\triangleright}2!)\,[(\nu a{\triangleright}2!) = (x{\triangleright}1?)]\,P$

The match fails because the names 1? and 2! cannot be equated, which is because 2 < 1 does not hold.

There are two distinct abstraction levels where the properties of the π-graphs can be discussed: the process algebra level and the lower level of the underlying graph model. We now give the basic definitions of the graph model.



Definition 1. The set of names is $\mathcal{N} = \mathcal{N}_f \uplus \mathcal{N}_b \uplus \mathcal{N}_r \uplus \mathcal{N}_p \uplus \mathcal{N}_o \uplus \mathcal{N}_i$ with:
$\mathcal{N}_f$ the set of free names $a, b, \ldots$
$\mathcal{N}_b$ the set of binder names $x, y, \ldots$
$\mathcal{N}_r$ the set of restrictions $\nu A, \nu B, \ldots$
$\mathcal{N}_p$ the set of private names $\nu a, \nu b, \ldots$
$\mathcal{N}_o = \{n! \mid n \in \mathbb{N}\}$ the set of fresh outputs
$\mathcal{N}_i = \{n? \mid n \in \mathbb{N}\}$ the set of fresh inputs

We also define $Priv = \mathcal{N}_r \cup \mathcal{N}_p$ (private names), $Pub = \mathcal{N} \setminus Priv$ (public names) and $Stat = \mathcal{N} \setminus (\mathcal{N}_o \cup \mathcal{N}_i)$ (static names).

Definition 2. A configuration is a tuple $\pi = (\kappa, \gamma, P, pt, B, bn, data, in, out, ctl, M, I)$ with

• $\kappa \in \mathcal{K}$ a clock value (see below),

• $\gamma \subseteq \mathcal{P}(\mathcal{N}_f \cup \mathcal{N}_i \cup \mathcal{N}_o)$ a partition of names,

• $P$ a finite abstract set of places,

• $pt : P \to \{0, \tau, i, o, =, \Sigma, \Pi, *\}$ the place types,

• $B$ a finite abstract set of boxes,

• $bn : B \to Stat$ an injective function for box names,

• $data, in, out : P \to B \cup \{\bot\}$ the data, input and output links,

• $ctl : P \to \mathcal{P}(P)$ the control links,

• $M : P \to \{\circ, \emptyset\}$ a marking function ($\circ$ redex, $\emptyset$ empty mark),

• $I : B \to \mathcal{N}$ a box instantiation function.

In Definition 2, κ, γ, M and I are the only dynamic elements; they will evolve through the application of the semantic rules, cf. Table 2. Initially, the partition γ contains only the singleton subsets of the infinite set $\mathcal{N}_f \cup \mathcal{N}_i \cup \mathcal{N}_o$ of names, I is bn and the marking M corresponds to the ∘-marking of the initial place of each iterator. An initial π-graph is a configuration that is well-formed according to the syntax rules of Table 1. A π-graph is a configuration that is both well-formed and reachable from an initial one by application of the semantic rules. Only well-formed π-graphs will be considered in the following. In order to keep the notations compact, we shall classically omit the singleton sets of a partition γ (hence, initially, γ = ∅).

A graph declares a set of free names (in $\mathcal{N}_f$), denoted $(a_1, \ldots, a_i)$, a set of global restrictions (in $\mathcal{N}_r$), denoted $(\nu A_1, \ldots, \nu A_j)$ and a parallel composition of k iterators, k ≥ 1. An iterator declares a set of (locally) private names (in $\mathcal{N}_p$), denoted $(\nu a_1, \ldots, \nu a_n)$, a set of binder names (in $\mathcal{N}_b$), denoted $(x_1, \ldots, x_m)$, and an iterated process P. The place labeled * is the initial place of the iterator. A process P is a non-empty sequence of prefixes p terminated by 0; the latter corresponds to a unique place, of type 0, represented with a double border. Each prefix has (see Table 1) a unique terminating place, represented with a dashed border, which will be used to glue the prefixes together, and a unique initial place. A silent prefix has no box and an initial place labeled τ. An output prefix $\Phi{\triangleright}\varphi(\Delta{\triangleright}\delta)$, whose initial place is labeled o, allows to emit a formal name Δ, instantiated by δ, on a channel with a formal name Φ, instantiated by φ. This is indicated by a data (dotted) and an output (plain) link, respectively. Each formal name is represented by a box with the instantiated name inside. We systematically omit box identities if they are the same as their instantiation. Initially, it is in the form $\Phi{\triangleright}\Phi(\Delta{\triangleright}\Delta)$, usually condensed in $\Phi(\Delta)$, and in the graphical representation, the identity of the nodes is omitted if it is considered irrelevant, or may be inferred from the context. An input prefix $\Phi{\triangleright}\varphi(x)$, whose initial place is labeled i, allows to receive an instantiation for the formal name x on a channel with a formal name Φ, instantiated by φ. This is indicated by a data and an input link, respectively. A match prefix $[\Phi{\triangleright}\varphi = \Delta{\triangleright}\delta]$, whose initial place is labeled =, allows to identify a formal name Δ, instantiated by δ, with a formal name Φ, instantiated by φ. This is indicated by two data links. A choice prefix $\Sigma[P_1 + \ldots + P_n]$ allows to choose one out of several processes $P_1$ to $P_n$; it starts with a place labeled Σ connected to the starting place of each of those processes, and each terminating place of a process is connected to the terminating place of the choice prefix. A parallel prefix $\Pi[P_1 + \ldots + P_n]$ allows to activate simultaneously all the processes $P_1$ to $P_n$; it starts with a place labeled Π connected to the starting place of each of those processes, and each terminating place of a process is connected to the terminating place of the parallel prefix.

A clock model is a type $\mathcal{K}$ associated to a set of operations with the following signatures: $init : \mathcal{K}$; $in, out : \mathcal{K} \to \mathcal{K}$; $next_i, next_o : \mathcal{K} \to \mathbb{N}$; $\prec\; : \mathcal{K} \times \mathcal{N}_o \times \mathcal{N}_i \to \mathbb{B}$. In the semantics (cf. the next section), it is assumed that every transition path starts with the initial clock value $init$. The function $in$ (resp. $out$) is used to update the clock when an input (resp. an output) is performed. The identity of the fresh names is generated with $next_i$ (fresh input) and $next_o$ (fresh output). The read-write causality ordering is expressed by the $\prec$ relation. A triplet $(\kappa, n!, m?) \in\; \prec$ is denoted $n! \prec_\kappa m?$. In the following we will be interested in a freshness property of a clock model.

Definition 3. Let π be a graph with clock κ and instantiation I, then π satisfies the freshness constraint if: $next_o(\kappa)! \notin cod(I) \;\wedge\; next_i(\kappa)? \notin cod(I)$.

Notice that any initial graph satisfies the freshness constraint since $cod(I) \cap (\mathcal{N}_i \cup \mathcal{N}_o) = \emptyset$.

A clock model satisfies the freshness constraint if for any π reachable from an initial one using the evolution rules described in the next section, the freshness constraint is preserved.

The simplest model of logical clocks is such that $\mathcal{K} = \mathbb{N}$ with: $init = 0$, $out(\kappa) = next_o(\kappa)$, $in(\kappa) = next_i(\kappa)$, $next_o(\kappa) = next_i(\kappa) = \kappa + 1$ and $n! \prec_\kappa m?$ iff $n < m$. Such logical clocks trivially satisfy the freshness constraint.

3 Operational semantics 

The operational semantics for the π-graphs provide the meaning of the one-step transition relation $\xrightarrow{\cdot}$ (the dot symbol denotes an arbitrary label). The rules of Table 2 describe the local updates of a global graph $\pi = (\kappa, \gamma, P, pt, B, bn, data, in, out, ctl, M, I)$. Most rules are of the form

$\kappa;\gamma \vdash pP \;\xrightarrow{\alpha}\; \kappa';\gamma' \vdash p'P'$

where κ;γ is the global context of the rule. The left-hand side (LHS) is a pattern describing a local context composed of a prefix p and its continuation P. The right-hand side (RHS) is an updated version of the local context. The rule is applicable if a subgraph of π matches the LHS. In this case a (global) transition labelled α occurs and the matched subgraph in π is updated according to the RHS. The global context of π may also be updated. For example, the LHS of the [silent] rule identifies a sub-graph of π consisting of a place p ∈ P such that pt(p) = τ and M(p) = ∘, followed by its continuation¹. The RHS of the rule describes the next state π' with a global context unchanged. The local context is updated so that the token in p is passed to the initial place q of the continuation, i.e., in the image π', we have M'(p) = ∅ and M'(q) = ∘. We put a frame around a whole process to denote the presence of a token ∘ in its initial place. The inferred transition carries the label τ, which corresponds to a silent transition.

The [par] rule is similar to the silent step except that the token is replicated for all the continuation places, simulating the fork of parallel processes. The latter works in conjunction with the [par₀] rule, which waits for all the forked processes to terminate before passing the token to the continuation place. We use a suffix to make explicit the termination place of the process when required. The iterators are operated in a similar way using the [iter] and [iter₀] rules. As illustrated in the example of Figure 2, each box b for private or binder names ($bn(b) \in \mathcal{N}_p \cup \mathcal{N}_b$) is reinitialized ($I(b) = bn(b)$) at the end of each iteration.

The choice operator requires, as in the π-calculus, to play "one move in advance": the [sum] rule applies if we can follow a branch of the choice such that at some point an observation can be made, possibly after an arbitrary, but finite, sequence of ε-transitions (cf. Lemma 2).

The communication rules are critical components of the semantics. The [out] rule applies when a process emits a public value using a public channel (i.e., in set Pub). The effect of the rule is to produce a transition with the observation as a label. The LHS of the [o-fresh] rule matches the emission of a private name over a public channel. As explained in the example of Figure 2, the principle is to generate a name that is guaranteed fresh by construction. This is obtained by taking the next value of the current clock, which gives $next_o(\kappa)!$. To preserve the freshness constraint (cf. Definition 3), the clock itself is updated. For example, if κ is a logical clock assigned to the value 3 then the generated fresh name is denoted 4! (fresh by construction) and the clock evolves to the value 4.

¹ According to the syntax (cf. Table 1), the continuation of a prefix is either a place or the initial place of the next prefix in the sequence.

Table 2: The operational semantics rules.

The rule for input is quite similar to the output ones. When a name is received from the environment, the [i-fresh] rule generates a fresh identity $next_i(\kappa)?$ for it and records the observation.

The rule [sync] is for a communication taking place internally in a π-graph. The LHS of the rule matches two subgraphs in distinct parallel processes, one is an output prefix with a ∘-token and the other one a corresponding input also with a ∘-token (and both with their respective continuations). The rule can be triggered either if the two processes belong to different parallel branches of execution within the same iterator, or if they are components of two distinct iterators. In both cases, the effect of the rule is the same: the tokens are passed to the respective continuations and the box of the input prefix is instantiated with the emitted value. Similarly to late congruence for the π-calculus, the communication can be triggered if the partners potentially agree on the name of the channels. The communication rule thus "incorporates" the semantics of the match prefix.

The matching of names is a central aspect of the proposed semantics. It is indeed required in both the [match] and [sync] rules. As illustrated by the symbolic semantics of [2], matching in the π-calculus is non-trivial because equality on names is dynamic, i.e. two distinct names a, b can be made equal through a match, under certain conditions. In this work, the conditions we use relate to a form of read-write causality [4]. Instead of just comparing names, the equality relation on names can be dynamically refined by updating the partition γ (cf. the last example of Section 2). The condition for the matching of two names δ, δ' under some clock κ is denoted $\delta \bowtie_\kappa \delta'$.

Definition 4. $\bowtie_\kappa$ is the smallest reflexive and symmetric binary relation on $\mathcal{N}$ such that $\delta \bowtie_\kappa \delta'$ if $(\delta, \delta' \in \mathcal{N}_f \cup \mathcal{N}_i) \;\vee\; (\delta = n! \in \mathcal{N}_o \;\wedge\; \delta' = m? \in \mathcal{N}_i \;\wedge\; n! \prec_\kappa m?)$

If δ is a free (public) name ($\delta \in \mathcal{N}_f$), there are two possibilities for δ' to match it: either it is also a free name or it belongs to the set of fresh input names. Indeed, we may always receive a public name from the environment. If both names correspond to (fresh) inputs, they may also be equated. The most delicate case is when δ is a fresh output and δ' a fresh input. As illustrated in Section 2, the names can only be equated if the input is causally dependent on the output.

The partition of names γ can be refined by a new equality δ = δ' using the notation $\gamma \triangleleft \delta{=}\delta'$, if δ and δ' are compatible, which is denoted $\delta \bowtie^\gamma_\kappa \delta'$.

Definition 5. Let γ be a partition of names, κ a clock and δ and δ' names.
1. $\delta \bowtie^\gamma_\kappa \delta'$ iff $\forall n \in [\delta]_\gamma, \forall m \in [\delta']_\gamma : n \bowtie_\kappa m$,
2. $\gamma \triangleleft \delta{=}\delta' = (\gamma \setminus \{[\delta]_\gamma, [\delta']_\gamma\}) \cup \{[\delta]_\gamma \cup [\delta']_\gamma\}$ if $\delta \bowtie^\gamma_\kappa \delta'$.

This updates the partition so that a new equality holds, but only if the two names can actually be made equal. The notation $[\delta]_\gamma$ denotes the equivalence class of δ in the relation γ. The following proposition plays a role in the finiteness results of Section 4.

Proposition 1. Let π be a graph with partition γ. For any $E \in \gamma$, $n! \in E \implies E \setminus \{n!\} \subseteq \mathcal{N}_i$.



Proof. This simply says that fresh output names can only be made equal with (fresh) input names, which is a direct consequence of Definition 4, Definition 5, the way it is used in the operational semantics, and the fact that initially all classes are singletons. □
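As an added illustration of Definitions 4 and 5 (our own Python model, not code from the paper), the following block implements the simplest logical clock model of Section 2 together with the compatibility relation, its lifting to equivalence classes and the partition refinement, and replays both orderings of the match example of Figure 3. Names are encoded as strings (a free name a, a fresh output 1!, a fresh input 2?, a private name νa); the string encoding and all class and function names are our assumptions.

```python
# Added example: a Python model of the logical clock model of Section 2 and of
# Definitions 4 and 5 (name compatibility and partition refinement). It is not
# code from the paper; class/function names and the string encoding of names
# (free "a", fresh output "1!", fresh input "2?", private "νa") are assumptions.
from dataclasses import dataclass


def is_output(name: str) -> bool:
    return name.endswith("!")


def is_input(name: str) -> bool:
    return name.endswith("?")


def is_free(name: str) -> bool:
    # Free (public) names carry no !/? suffix and no ν prefix.
    return not (is_output(name) or is_input(name) or name.startswith("ν"))


@dataclass(frozen=True)
class LogicalClock:
    """Simplest clock model: K = N, init = 0, in/out increment by one."""
    value: int = 0

    def next_i(self) -> int:          # identity of the next fresh input
        return self.value + 1

    def next_o(self) -> int:          # identity of the next fresh output
        return self.value + 1

    def inp(self) -> "LogicalClock":  # in(k): updated clock after an input
        return LogicalClock(self.next_i())

    def out(self) -> "LogicalClock":  # out(k): updated clock after an output
        return LogicalClock(self.next_o())

    def causal(self, n_out: str, m_in: str) -> bool:
        """n! <_k m?  iff  n < m (the output was emitted before the input)."""
        return int(n_out[:-1]) < int(m_in[:-1])


def compatible(clock: LogicalClock, d1: str, d2: str) -> bool:
    """Definition 4: reflexive, symmetric base relation on single names."""
    if d1 == d2:
        return True
    if (is_free(d1) or is_input(d1)) and (is_free(d2) or is_input(d2)):
        return True
    if is_output(d1) and is_input(d2):
        return clock.causal(d1, d2)
    if is_output(d2) and is_input(d1):
        return clock.causal(d2, d1)
    return False


def class_of(partition: frozenset, name: str) -> frozenset:
    """[name]_gamma; singleton classes are implicit, as in the paper."""
    for cls in partition:
        if name in cls:
            return cls
    return frozenset({name})


def class_compatible(clock, partition, d1, d2) -> bool:
    """Definition 5(1): every member of [d1] is compatible with every member of [d2]."""
    return all(compatible(clock, n, m)
               for n in class_of(partition, d1)
               for m in class_of(partition, d2))


def refine(clock, partition, d1, d2):
    """Definition 5(2): gamma <| d1=d2, or None when the match fails."""
    if not class_compatible(clock, partition, d1, d2):
        return None
    c1, c2 = class_of(partition, d1), class_of(partition, d2)
    return (partition - {c1, c2}) | {c1 | c2}


def figure3(emit_first: bool):
    """Replay c(νa)d(x)[νa = x]P (emit_first) or d(x)c(νa)[νa = x]P and
    return the partition after the match, or None if the match fails."""
    clock, partition, inst = LogicalClock(), frozenset(), {"νa": "νa", "x": "x"}
    for step in (["out", "in"] if emit_first else ["in", "out"]):
        if step == "out":                        # [o-fresh]: νa becomes next_o(k)!
            inst["νa"] = f"{clock.next_o()}!"
            clock = clock.out()
        else:                                    # [i-fresh]: x receives next_i(k)?
            inst["x"] = f"{clock.next_i()}?"
            clock = clock.inp()
    return refine(clock, partition, inst["νa"], inst["x"])   # [match] on instantiations


if __name__ == "__main__":
    print(figure3(True))    # {1!, 2?} merged
    print(figure3(False))   # None: 2! cannot be equated with 1?
```

Running figure3(True) returns the refined partition {{1!, 2?}}, while figure3(False) returns None because 2 < 1 does not hold. Since refine only ever merges a fresh output with causally later fresh inputs, a class containing n! contains nothing but input names besides it, which is the content of Proposition 1.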
A central property for the remaining developments is that there is a finite bound on the length of ε-sequences involved in the semantics. To demonstrate this result, we first need to introduce the notion of full path of a (terminated) process.

Definition 6. Let P0 be a process. A full path of it is a sequence σ of transitions leading from $\boxed{P}$ to

Lemma 1. No full path may be an ε-sequence.

Proof. The demonstration is by a simple structural induction on the syntax. First, the termination cannot be preceded by a match. Moreover, the property holds by induction for the parallel and sum sub-processes, which are the only prefixes able to generate an ε at the end of a full path. □

Lemma 2. For any graph π, there is a finite bound on the length of the ε-sequences it may generate.

Proof. First, note that we may neglect synchronisations, since they yield τ-transitions and not ε-ones. If there are several iterators, we may interleave their longest ε-sequences and a bound is provided by the sum of the bounds of each component iterator. For any iterator *[P0], we know from Lemma 1 that no ε-sequence of P may be both initial and terminal in a full path it generates; hence, besides the ε-sequences generated by P, we may also have a terminal one followed by [iter₀], followed by [iter], followed by an initial one (and we may not loop indefinitely on full ε-paths), so that a bound is provided by twice the bound² for P, plus 2. If $P = p_1 p_2 \ldots p_n$, a bound for the length of its ε-sequences is given by the sum of the bounds for each prefix $p_i$. The bound for the silent, input and output prefixes is 0; the one for the match is 1; a bound for the parallel prefix is the sum of the bounds of its components, plus 1 if all the corresponding ε-sequences are initial or (exclusively) terminal; a bound for the choice prefix is the maximum of the bounds of its components, plus 1 (usually less since the initial ε-sequences are shrunk here). □

A fundamental characteristic of the proposed semantics is that it yields ground transitions, involving 
only simple labels (no binders, equations, etc.). 

Definition 7. Let π be a graph. We denote lts(π) = (Q, T) its labelled transition system with Q the set of graphs reachable from π, and T the set of triplets of the form (π', α, π''), such that we can infer $\pi' \xrightarrow{\alpha} \pi''$, α ≠ ε, with the rules of Table 2.

The abstraction from ε-transitions, guaranteed finitely bounded by Lemma 2, is an important part of the definition because the normalization steps should not play any direct behavioral role.

A first, important, step towards finiteness is as follows.

Lemma 3. For any graph π, lts(π) is finitely branching.

Proof. Only the [sum] rule has directly more than one image. By Lemma 2 the initial ε-sequences for each branch of the sum have a finite, bounded length, hence there are finitely many of them. Moreover, there can be only a finite number of branches in a sum, which bounds the number of images.

The other source of image-multiplicity is the interleaving of parallel iterators and/or sub-processes, but there are finitely many of them in a π-graph. □

Based on such (abstracted) labelled transitions, a ground notion of bisimilarity naturally follows.

Definition 8. (bisimilarity) Bisimilarity ~ is the largest symmetric binary relation on π-graphs such that

² Better bounds could be obtained by separately evaluating bounds for initial, terminal and intermediate ε-sequences of P.
4 Causal clocks and decidability results

There are two sources of infinity in the basic π-graph model. First, the partition γ contains initially the singleton subsets of the infinite set $\mathcal{N}_f \cup \mathcal{N}_i \cup \mathcal{N}_o$ (only the free and fresh input/output names can be made equal). We need a way to only retain the names that are actually playing a role in the behavior of the considered π-graph. Moreover, logical clocks can evolve infinitely. An example is the fresh name generator of Figure 2. To avoid the construction of infinite state spaces, we first introduce an alternative to logical clocks.

Definition 9. A causal clock κ, in the context of an instantiation function I, is a partial function in $(\{\bot\} \cup \mathcal{N}_o) \rightharpoonup \mathcal{P}(\mathcal{N}_i)$ with

• $init = \{\bot \mapsto \emptyset\}$

• $out(\kappa) = \kappa \cup \{next_o(\kappa)! \mapsto \emptyset\}$

• $in(\kappa) = \{o \mapsto (\kappa(o) \cup \{next_i(\kappa)?\}) \mid o \in dom(\kappa)\}$

• $next_i(\kappa) = \min(\mathbb{N}^+ \setminus \{n \mid n? \in \bigcup cod(\kappa)\})$

• $next_o(\kappa) = \min(\mathbb{N}^+ \setminus \{n \mid n! \in dom(\kappa)\})$

• $n! \prec_\kappa m? \;=\; n! \in dom(\kappa) \wedge m? \in \kappa(n!)$

The names of a clock are $nm(\kappa) = dom(\kappa) \setminus \{\bot\} \cup \bigcup cod(\kappa)$.

Intuitively, κ(n!) gathers all the input names m? that were created after n! when the latter was instantiated, and κ(⊥) gathers all the input names m? that were created, even those that were created before any n!. This is the minimal amount of information required to record read-write causality on names.

For example, $next_o(init) = 1$, $\kappa = out(init) = \{\bot \mapsto \emptyset, 1! \mapsto \emptyset\}$, $\kappa' = in(\kappa) = \{\bot \mapsto \{1?\}, 1! \mapsto \{1?\}\}$, and $nm(\kappa') = \{1!, 1?\}$. In κ', the input name 1? is causally dependent on the output 1!.

As a second "counter-measure" against infinity, we do not record explicitly (but assume) the singleton sets in the partition. Moreover, we require the garbage collection of unused names in graphs.

Definition 10. The garbage collection gc(π) of unused names in a graph π with causal clock κ, partition γ and instantiations I is π with updated clock κ' and partition γ' such that

$\gamma' = \{E \cap (\mathcal{N}_f \cup \mathcal{N}_o \cup cod(I)) \mid E \in \gamma\} \setminus \{\emptyset\}$

$\kappa' = \{d \mapsto \kappa(d) \cap cod(I) \mid d \in dom(\kappa) \wedge (d = \bot \vee d \in cod(I) \vee \{d\} \notin \gamma')\}$

For initial graphs, gc(π) = π. The clock only references instantiated input and output names, plus the output names that are not instantiated but equated to one or more input names.

From now on we only consider (reachable) garbage-free graphs, i.e. with unused names implicitly removed. This amounts to consider the LTS $lts(\pi) = \{(\pi', \alpha, gc(\pi'')) \mid (\pi', \alpha, \pi'') \text{ results from Def. 7}\}$.

Proposition 2. Let π be a garbage-free graph with clock κ, partition γ and instantiation I:

1. $dom(\kappa) = (cod(I) \cap \mathcal{N}_o) \cup \{d \in \mathcal{N}_o \mid \{d\} \notin \gamma\} \cup \{\bot\}$ and

2. $\bigcup cod(\kappa) = cod(I) \cap \mathcal{N}_i$.

Hence $nm(\kappa) = (cod(I) \cap (\mathcal{N}_i \cup \mathcal{N}_o)) \cup \{n! \in \mathcal{N}_o \mid \{n!\} \notin \gamma\}$.

Proof. These are direct consequences of Definition 9 and Definition 10, combined with an induction on the derivation rules.

Initially, $\bigcup cod(\kappa) = \emptyset = cod(I) \cap \mathcal{N}_i$, $dom(\kappa) = \{\bot\}$, $cod(I) \cap \mathcal{N}_o = \emptyset$ and γ is only composed of singletons.

When a new input name is created by rule [i-fresh], it is added both to cod(I) and to κ(⊥).
When a new output name is created by rule [o-fresh], it is added both to cod(I) and to dom(κ).
When an input name is no longer used by I, it is suppressed from cod(κ).

When an output name is no longer used by I and it is not equated to some input names, it is suppressed from dom(κ). □

Proposition 3. Causal clocks preserve the freshness constraint.

Proof. Let π be a graph with causal clock κ and instantiation I. By Definition 9, we have $next_o(\kappa)! \notin dom(\kappa)$ and $next_i(\kappa)? \notin \bigcup cod(\kappa)$. By Proposition 2 we deduce $next_o(\kappa)! \notin cod(I)$ and $next_i(\kappa)? \notin cod(I)$. □

The example of Figure 2 generates, with the logical clocks, an infinite number of states and transitions c(1!), c(2!), ... Using the causal clocks and garbage-free graphs, the behavior collapses to a single state (i.e., a single ~-equivalence class) and transition c(1!), which is valid because the name 1! is not used locally and can thus be reused infinitely often.
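As an added worked example (our own Python model, not code from the paper or from any implementation of it), the following block implements the causal clock operations of Definition 9 and the garbage collection of Definition 10. It replays the clock example given after Definition 9 and the fresh-name generator of Figure 2, once without and once with garbage collection, so that one can see the name 1! being reclaimed and the clock staying at a single value across iterations. The string encoding of names, the constant BOTTOM standing for ⊥, and all class and function names are our assumptions.

```python
# Added example: a Python model of the causal clocks of Definition 9 and of the
# garbage collection of Definition 10. It is not code from the paper; the class
# and function names, the string encoding of names ("1!" fresh output, "1?"
# fresh input, "a" free, "νa" private) and BOTTOM standing for ⊥ are assumptions.
BOTTOM = "⊥"


def is_output(name: str) -> bool:
    return name.endswith("!")


def is_input(name: str) -> bool:
    return name.endswith("?")


def _smallest_unused(used: set) -> int:
    """min(N+ \\ used): the smallest positive integer not in `used`."""
    return min(k for k in range(1, len(used) + 2) if k not in used)


class CausalClock:
    """Partial function ({⊥} ∪ N_o) -> P(N_i), stored as a dict of frozensets."""

    def __init__(self, table=None):
        self.table = dict(table) if table is not None else {BOTTOM: frozenset()}  # init

    def next_i(self) -> int:
        return _smallest_unused({int(n[:-1]) for s in self.table.values() for n in s})

    def next_o(self) -> int:
        return _smallest_unused({int(n[:-1]) for n in self.table if n != BOTTOM})

    def out(self) -> "CausalClock":          # out(k) = k ∪ {next_o(k)! ↦ ∅}
        table = dict(self.table)
        table[f"{self.next_o()}!"] = frozenset()
        return CausalClock(table)

    def inp(self) -> "CausalClock":          # in(k): record next_i(k)? after every key
        new = f"{self.next_i()}?"
        return CausalClock({o: s | {new} for o, s in self.table.items()})

    def causal(self, n_out: str, m_in: str) -> bool:   # n! <_k m?
        return n_out in self.table and m_in in self.table[n_out]

    def names(self) -> set:                  # nm(k)
        return (set(self.table) - {BOTTOM}) | {n for s in self.table.values() for n in s}


def gc(clock: CausalClock, partition: frozenset, inst: dict):
    """Definition 10: forget input names no longer instantiated and output names
    neither instantiated nor equated to an instantiated input."""
    cod = set(inst.values())
    keep = lambda n: not is_input(n) or n in cod     # n ∈ N_f ∪ N_o ∪ cod(I)
    # γ' = {E ∩ (N_f ∪ N_o ∪ cod(I)) | E ∈ γ}, singleton classes left implicit
    new_part = frozenset(c for c in (frozenset(n for n in E if keep(n)) for E in partition)
                         if len(c) > 1)
    retained = lambda d: d == BOTTOM or d in cod or any(d in E for E in new_part)
    new_table = {d: s & cod for d, s in clock.table.items() if retained(d)}
    return CausalClock(new_table), new_part


def section4_example():
    """The clock example of Section 4: next_o(init) = 1, κ = out(init), κ' = in(κ)."""
    k0 = CausalClock()
    k2 = k0.out().inp()
    return k0.next_o(), k2.table, k2.names(), k2.causal("1!", "1?")


def generator(rounds: int, collect: bool):
    """Figure 2: each iteration emits the private νa on the public c, then the
    [iter] step resets the box νa; with collect=True, gc runs after each round."""
    clock, partition, inst = CausalClock(), frozenset(), {"νa": "νa"}
    labels = []
    for _ in range(rounds):
        fresh = f"{clock.next_o()}!"          # [o-fresh]
        inst["νa"], clock = fresh, clock.out()
        labels.append(f"c({fresh})")
        inst["νa"] = "νa"                     # [iter]: back to the default νa ⊳ νa
        if collect:
            clock, partition = gc(clock, partition, inst)
    return labels, sorted(clock.table)


if __name__ == "__main__":
    print(section4_example())
    print(generator(3, collect=False))   # c(1!), c(2!), c(3!): dom(κ) keeps growing
    print(generator(3, collect=True))    # c(1!) three times: 1! is reclaimed each round
```

Without gc the domain of the clock grows by one output name per iteration and the labels are c(1!), c(2!), c(3!); with gc the clock returns to {⊥ ↦ ∅} after every round and the same label c(1!) is observed each time. gc also keeps a non-instantiated output name whose class in γ still contains an instantiated input, the case Definition 10 singles out, and a match between 1! and a later 1? is answered by causal, i.e. by membership of 1? in κ(1!).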

We now consider the evolution of the clock along transition paths from a more general perspective. 
A fundamental property is that the clock may take only a finite number of values. 

Lemma 4. Let a transition system lts(π) = (Q, T) and consider the causal clock $\kappa_Q$ of each state Q: $\bigcup cod(\kappa_Q) \subseteq \{1?, 2?, \ldots, |B|?\}$.

Proof. First, a direct consequence of Proposition 2(2) is that $|\bigcup cod(\kappa_Q)| \le |B|$, since $|cod(I)| \le |dom(I)| = |B|$. Initially, $\bigcup cod(\kappa_Q) = \emptyset$. The unique way to increase the size of the codomain of a clock (by one) is through an [i-fresh] transition. If, at that point, k is the first integer such that k? is missing in $\bigcup cod(\kappa_Q)$, it will be added to it. Thus we shall have either $\bigcup cod(\kappa_Q) = \{1?, 2?, \ldots, (k-1)?, (k+1)?, \ldots\}$ becomes $\{1?, 2?, \ldots, (k-1)?, k?, (k+1)?, \ldots\}$ or $\bigcup cod(\kappa_Q) = \{1?, 2?, \ldots, (k-1)?\}$ becomes $\{1?, 2?, \ldots, (k-1)?, k?\}$. Hence the property. □

For the fresh outputs the situation is similar, but for a slightly different reason.

Lemma 5. Let a transition system lts(π) = (Q, T) and consider the causal clock $\kappa_Q$ of each state Q: $dom(\kappa_Q) \subseteq \{\bot, 1!, 2!, \ldots, |B|!\}$.

Proof. From Proposition 2, we know that $dom(\kappa_Q)$ always contains ⊥ and the instantiated output names; let us assume there are k of the latter; there are thus at most |B| − k instantiated input names; now each non-instantiated output name may only be equated by γ to instantiated input names and there is no intersection between the latter; hence there are at most |B| − k non-instantiated output names left in $dom(\kappa_Q)$. Then, the reasoning is similar to the one for Lemma 4. □

Lemma 6. Let π be a graph with causal clocks, and lts(π) = (Q, T) its corresponding transition system. The sets Q and T are of finite size.

Proof. Each state of Q is a reachable configuration following Definition 2. Infinity can only result from the parts of the configuration that evolve along transitions, i.e., the clock κ, the partition γ, the instantiation I and the marking M. There is a finite bound for the number of possible markings ($2^p$ where p is the number of places in the configuration). Lemmas 4 and 5 assert that the set of reachable (causal) clocks is also finite. For the instantiation I, only the number of input and output fresh names may increase. We can deduce from Proposition 2 that $cod(I) \cap (\mathcal{N}_i \cup \mathcal{N}_o) \subseteq nm(\kappa)$ and thus the set of reachable instantiations is also finite. We can then observe that, from the previous definitions, the non-singleton classes in a partition only contain names in cod(I) ∪ nm(κ), hence the number of reachable partitions is finite. In consequence there are only finitely many reachable configurations, thus Q is finite. Finally, by Lemma 3 we know that T is image-finite and a finitely branching relation over the finite set Q is finite. □

Theorem 1. Bisimilarity for π-graphs with causal clocks is decidable.
This important result is a direct consequence of Lemma 6: lts(π) is a finite labelled transition system with ground labels, so strong bisimilarity on it can be computed by the standard partition-refinement algorithm, with no symbolic side conditions to discharge.
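The "standard technique" that Theorem 1 appeals to, as an added example that is not part of the paper or of its prototype tool: a plain partition-refinement check for strong bisimilarity on a finite, ground labelled transition system. It assumes the LTS has already been generated (here the states and labels are a constructed toy, not π-graph configurations) and only uses the fact that labels are opaque values that must match exactly, which is exactly what "ground" buys us.

```python
from collections import defaultdict

# Constructed sample LTS: triples (source, label, target).
# p0 and q0 are trace-equivalent but not bisimilar (the classic a.b + a.c vs a.(b + c));
# r0 (with a duplicated a-branch) and s0 are bisimilar.
SAMPLE_LTS = [
    ("p0", "a", "p1"), ("p1", "b", "p2"), ("p0", "a", "p3"), ("p3", "c", "p4"),
    ("q0", "a", "q1"), ("q1", "b", "q2"), ("q1", "c", "q3"),
    ("r0", "a", "r1"), ("r1", "b", "r2"), ("r0", "a", "r1'"), ("r1'", "b", "r2'"),
    ("s0", "a", "s1"), ("s1", "b", "s2"),
]


def successors(transitions):
    """Index the LTS: state -> label -> set of targets, plus the set of all states."""
    succ = defaultdict(lambda: defaultdict(set))
    states = set()
    for src, label, tgt in transitions:
        succ[src][label].add(tgt)
        states.add(src)
        states.add(tgt)
    return states, succ


def bisimilarity(transitions):
    """Largest strong bisimulation on a finite LTS, returned as a partition (list of frozensets).

    Naive fixpoint refinement: start from the single block of all states and split
    every block whose members have different signatures, where the signature of a
    state is the set of (label, block-of-target) pairs w.r.t. the current partition.
    Ground labels mean two transitions match iff their labels are equal, so no
    substitution or name-equality reasoning is needed. Terminates because the
    number of blocks grows strictly until stable and is bounded by |states|.
    """
    states, succ = successors(transitions)
    blocks = [frozenset(states)]
    while True:
        block_of = {s: i for i, b in enumerate(blocks) for s in b}

        def signature(s):
            return frozenset((label, block_of[t])
                             for label, targets in succ[s].items()
                             for t in targets)

        refined = []
        for b in blocks:
            groups = defaultdict(set)
            for s in b:
                groups[signature(s)].add(s)
            refined.extend(frozenset(g) for g in groups.values())
        if len(refined) == len(blocks):   # no block was split: partition is stable
            return refined
        blocks = refined


def bisimilar(transitions, p, q):
    """True iff states p and q lie in the same class of the largest bisimulation."""
    for b in bisimilarity(transitions):
        if p in b:
            return q in b
    return False


if __name__ == "__main__":
    for p, q in [("p0", "q0"), ("r0", "s0"), ("p1", "s1")]:
        print(p, "~", q, ":", bisimilar(SAMPLE_LTS, p, q))
```

The check is quadratic in the number of states per round and linear in the number of rounds, which is good enough to show the point; for a generated lts(π) of realistic size one would use the Paige-Tarjan variant or hand the LTS to an existing tool, as Section 5 suggests.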



5 Related work 

The design of visual languages for mobile systems has been investigated in Milner's π-nets [10] and 
Parrow's interaction diagrams [14]. The π-graphs try to convey the "inventiveness" of such attempts, but 
building on more formal grounds and with an emphasis on practicability from a modelling perspective. 
The main characteristic of our formalism, from this point of view, is that the structure of the 
graphs remains static along transitions. This is a major difference when compared to other graphical 
variants of the π-calculus [?], including the dynamic π-graphs [15]. From a technical standpoint this 
design choice has a profound impact on the semantics. Instead of relying on more expressive graph 
rewriting techniques [?], we exploit an inductive variant of graph relabelling [8]. The inductive 
extension is used to characterize the choice operator. A lower-level implementation is possible (see 
e.g. [2]), but inductive rules provide a much more concise characterization. 

Similarly to Petri nets, the motivation behind the π-graphs is not limited to modelling purposes. The 
formalism should also be suitable for the automated verification of mobile systems. There are indeed only 
a few verification techniques and tools developed for the π-calculus and its variants. Decision procedures 
for open bisimilarity are proposed in e.g. [16, 17]. The techniques developed are not trivial and are specific to 
the π-calculus (or also the fusion calculus in recent versions of [17]). In comparison, the π-graphs rely 
on ground notions of transition and bisimulation, which means standard techniques and existing tools 
can be employed directly. There is a connection between the symbolic semantics used to characterize 
open bisimilarity and the partition $\gamma$ in the π-graph configurations. Instead of recording equalities in 
transitions, we record the effect of the equality directly in the states. This means it is never required to 
"go back in time" to recover a particular equality. Moreover, we think a similar mechanism can be used 
to implement the mismatch construct. Open bisimilarity enjoys a much desired congruence property. It 
remains an open question whether bisimilarity on π-graphs is a congruence or not. We conjecture this is 
the case, e.g. a(x)[x = b]b(c) and a(x)0 are properly discriminated. However, the formal proof is left as 
future work. 

Another approach is to translate some π-calculus variant into another formalism with better potential 
for verification. A positive aspect is that this makes the verification framework (relatively) independent 
from the source language. The other side of the coin is that it is more difficult to connect the verification 
results (e.g. counter-examples) to the modelling formalism. The early labelled transition systems of the 
π-calculus can be translated to history dependent automata (HDA) [12, 13]. The states of HDA contain 
the sets of active (restricted) names, and the transitions provide injective correspondences so that names 
can be created and, most importantly, forgotten. This gives a local interpretation of freshness, whereas 
the π-graphs use a global interpretation based on clocks. Unlike with HDA, the problem of garbage collecting 
unused names in π-graphs can be decided by inspecting the current state of the computation. HDA are an 
intermediate semantic-level formalism: they are produced from process expressions and can in turn be 
unfolded as plain automata. With π-graphs, we are able to produce basic (ground) automata directly. 
There are also various translations of π-calculus variants into Petri nets. In [5] we propose a translation 
of the π-calculus into finite high-level Petri nets (with read arcs), using basic net composition 
operators. Beyond the use of a high-level (and Turing-complete) model of Petri nets, another issue we 
face is the encoding of recursive behaviors as unfoldings. Indeed, the verification problems are only 
decidable for recursion-free processes in this framework. In [9] an alternative translation to lower-level 
P/T nets is proposed. The translated nets cannot be used as modelling artifacts. First, they may have a 
size exponentially larger than the initial π-calculus terms. Moreover, their structure does not reflect the 
structure of the terms but corresponds to behavioral properties: the places are connection patterns and 
the tokens are instances of these patterns. However, the translation is particularly suitable for the verification 
problem. Indeed, the translated P/T nets have a finite size for a class of structurally stationary systems, 
which is strictly larger than the class of finite-control processes. Note, however, that the membership problem for 
this class is undecidable. Moreover, it is not a compositional property. The iterator construct is slightly 
more expressive than the finite-control class of processes. The latter can be encoded using iterators and 
the communication primitives. But it is also possible to encode behaviors in which the number of 
active threads changes along iterations (although their number must be bounded). Unlike the π-graphs, only 
the reduction semantics for closed systems are considered in [?]. As explained in [?], the switch from 
the reduction to the transition semantics is not trivial. Recent works, e.g. [1], suggest the use of 
borrowed contexts (BC) to derive transition systems (and bisimulation congruences) from graph grammars. 
In the π-graphs, we propose an alternative technique of deriving transition labels from node attributes, 
which we find simpler. However, we cannot derive any congruence result from the construction. To our 
knowledge the π-calculus has not been fully characterized in the BC framework. 



6 Conclusion and future work 

The π-graphs are a visual paradigm for the modelling and verification of mobile systems. They have constructs 
very close to those of the π-calculus, although strictly speaking the formalism is more a variant than a graphical encoding. 
We plan to establish stronger connections between (traditional) variants of the π-calculus and the π-graphs. 
In particular, we conjecture π-graph bisimilarity to be close to late congruence. For the latter, it 
seems cumbersome to work directly with the π-graphs, because they involve relatively complex process 
contexts. A privileged direction would be to translate the graphs back into a variant of the π-calculus, 
and study the meta-theory at that level. 

For verification purposes, the π-graphs with iterators enjoy appealing properties: the semantics rely 
on ground notions of transition and bisimulation, and their state space is finite by construction. However, 
the size of the LTS can be exponentially larger than the initial graphs. To cope with this state explosion 
problem, we plan to complement the traditional interleaving semantics developed in this paper with a more 
causal semantics. An interesting approach is to slice the semantics by analyzing each iterator of a graph 
independently. Instead of interleaving the slices it is possible to relate them in a causal way, considering 
the fact that the only transitions across iterators are synchronizations. Seen as an intermediate model, the 
π-graphs, in particular the iterator construct, offer a major simplification of our own Petri net translation 
of the π-calculus [5]. We think a lower-level Petri net model can be used in the translation, with better 
dispositions for verification using existing Petri net tools. 

Last but not least, we plan to integrate the static variant of the π-graphs, as presented in this paper, 
into our prototype tool available online³. 

³ cf. http://lip6.fr/Frederic.Peschanski/pigraphs